Just over a month ago, I enjoyed a series of bad-tempered Twitter exchanges with Benjamin Falk, Founder and “Chief Talker” of the personal data outfit Yo-Da. Falk has an interesting perspective on Data Protection. Instead of coming to DP through the traditional routes of information management, security, governance or the law, Falk is an ‘information economist’. He doesn’t see the subject as an issue of human rights, instead looking at it through the prism of economics. Because Data Protection is concerned with information, and there are other contexts where information is a commodity traded in a market, Falk has had the revelation that the processing of personal data is just another market, and this is the only way to understand it. Falk perceives this market as a ‘dumpster fire‘, and he alone has the solution. He has founded what he calls the “world’s first Personal Data agency” and hopes to lure people into signing up for an ill-defined service that he asserts will put them in control of their information. Somewhere along the way, money will be made.
Falk has some eye-catching ways to explain the ‘market’ he seeks to disrupt:
“personal data is best understood as a newspaper that we publish about ourselves, whether we like it or not“.
Sometimes, he thinks personal data is “a really really boring autobiography, it’s just information about yourself written down somewhere“.
Falk’s view of data subjects is that they are “an author with an information rights management problem”
I can imagine that if a person had, say, an AI program and they had to persuade gullible investors to buy into a wheeze that hadn’t really been worked out properly, this kind of eye-catching guff might get them going. However, it’s nonsense. Most personal data isn’t published or created for public consumption like a newspaper (indeed, many people have laboured for years under the misapprehension that personal data in the public domain isn’t personal data at all). Equally, a lot of personal data doesn’t fit Falk’s favourite analogy of a ‘robo-biography‘ because it is generated by people and not machines. You can’t simplify a million different controllers doing things for themselves in a million different ways. It’s complicated.
As Yo-Da’s website says, users will be able to “discover, fetch, control and erase” personal data from “any company operating in Europe”. However, the first thing you see on Yo-Da’s homepage is the following: “who earns from your personal data? everyone but you“. Falk also wants people to monetise their data. There’s not much detail however, making me wonder Falk has got this far by saying ‘AI’ a lot without a clear idea of how that will translate to the power he claims to put in subjects’ hands. After all, in order to work, Yo-Da needs to be able to successfully obtain and amalgamate data held on millions of different systems, in thousands of formats, processed for a host of different reasons by a multitude of businesses as varied as Apple, Tesco, 2040 Training and the Friendly Furry Shop. I’d like to see this in action.
The idea of individuals monetising their data is common to survey platforms like YouGov and CitizenMe, while Paul Olivier-Dehaye has been touting the automation of SARs and other data rights for years. A mock-up of the Yo-Da app shows data obtained from Starbucks (including how many coffees the user has drunk) with a suggestion at the bottom that this data be combined with that information from Transport for London or NHS England. Rather than selling data at scale like most data brokers, Yo-Da seems to encourage subjects to obtain vast quantities of data about themselves (the app shows a user having obtained data from 1200 companies) to create a “rich personal database” which presumably the user will then sell with Yo-Da’s assistance.
Falk’s ambitions are not limited to data monetisation. Yo-da, he claims, will stop subject’s rights from being infringed. The ‘dumpster fire’ of poor data protection practice in the UK is the fault of greedy consultants like me who ensure that our clients don’t actually comply with the law so we can keep charging them. Like Hercules diverting rivers to sluice the Augean stables, Falk’s tweets demonstrated a belief that Yo-Da will wipe Data Protection clean. Solving DP’s many problems is “easy to do“, he says, it’s just that nobody has actually tried (take that, Liz Denham). I don’t see how, but even if you believe that Yo-Da’s data jumble sale could change the face of DP forever, it can surely only do so if millions of people participate. Even if thousands of people sign up, Yo-Da will barely scratch the surface of how much personal data is processed across the UK and the EU. People will still be obliged to provide their data to pay their taxes, claim their benefits, use the NHS, set up a bank account or a mortgage, or be employed. The ability to get a slice of your data (it won’t be all of it) and possibly hawk it to dodgy data brokers (about the only people who I can imagine might buy it) won’t change that, and would do nothing to stop DeepMind, lost discs, the Met Police’s use of facial recognition or hospitals letting TV companies film vulnerable women without consent.
Moreover, just imagine how Yo-Da could go wrong if it actually works. At the moment, the fact that the different aspects of your life are often held in silos is wholly to your advantage from a data protection perspective. Capitalism is trying to connect the various loose ends of your life, but there are limits. As a middle aged man with middling health, the NHS doesn’t know how often I drink coffee at Starbucks, or how regularly I get the Tube in London rather than using a TfL bike (I would like to confirm to my GP that I never drink coffee in Starbucks and I have only used the Tube once this year on my many visits to the capital). But what else could be added? Could Yo-Da include how many orders from Beers of Europe I make? How often I go to SoLita for a burger? Yo-Da is selling a seductive idea – one might almost paraphrase it as ‘take back control’, but it probably contains the same risk of unintended consequences as that rancid propaganda. Falk positions his company as the saviour of privacy rights, but he’s encouraging people to conspire in their own exploitation by creating an intrusive and potentially prejudicial data cocktail and then flogging it to the highest bidder.
I’m ignoring the practical problem that the key to driving his plan is subject access requests, and SARs rarely provide a seamless, rich repository of information, ready to be amalgamated and exploited. SAR disclosures are often messy and incomplete, a patchwork left behind by the removal of third parties and exempt data, and often delivered in PDFs. Only data supplied direct to the controller by the subject or obtained under observation has to be supplied in a portable form. There are legitimate reasons to refuse requests altogether. Falk has asserted repeatedly that “ownership and rights mean the same thing“, and so subjects own their data, but this won’t be any help to his business model. Subjects own the copy of the data that they receive from their SAR, but that doesn’t give them automatic access to any and all data held. They don’t own the data held by the controller. The promises of control and erasure made on the Yo-Da website are embarrassingly simplistic – you can’t object to a controller processing your data under contract or legal obligation or ask them to erase the data. They can resist an erasure request because they need to establish, exercise or defend a legal claim. Only someone who doesn’t understand how limited the GDPR rights of objection are would make the grandiose claim that “Yo-Da… lets you control who processes your information“. No, it doesn’t. It never will, because the GDPR doesn’t do that.
I think Falk’s claims are hype and his understanding of data protection is fundamentally flawed. Moreover, I don’t trust him. During the period that I spent arguing with the Yo-Da Twitter account, it became clear that I wasn’t just dealing with one person. There were two distinct personalities, inverted versions of the dual identities in Hitchcock’s Psycho. The Norman Bates character – relentlessly polite no matter what the provocation, endlessly ingratiating – is fake, a bot unleashed by Falk to fool people into thinking they’re dealing with a real person. Mrs Bates – the bitter, angry and resentful persona that occasionally lashes out – is real, presumably Falk himself, unable to let the upbeat-to-the-point-of-being-deranged program do all of the talking. Falk called me a jerk for accusing him of being a bot when actually, he was just being “unswervingly polite“. In the end, he had to admit that I was right and that he was using a bot. Ethics is Data Protection’s flavour of the month, and I’m not sure that such duplicitous behaviour will fit in.
Despite the fact that Yo-Da hasn’t launched yet, the website mysteriously features testimonials from happy users, while one of the three case studies highlighting how the service works using happy Yo-Da customers is actually just Falk himself. Falk wants to charge people to use their DP rights. Somewhere in our bickering, either Falk or the bot told me that Yo-Da would be a monthly subscription based on what users can afford, but there’s no hint of that on the website. It’s the same model that Dehaye originally proposed for PersonalData.Io – just as GDPR makes personal data rights free in most cases, in come some chancers hoping to charge you for using them. And I have one last piece of evidence that when it comes to upholding data protection, in giving people “transparency into this secretive ecosystem“, Falk isn’t the champion of data rights he purports to be.
After five days of arguing and provoking whoever / whatever was running the Yo-Da account, on June 4th, I made a subject access request to the company via the Data Protection Officer’s email address on the Yo-Da website (i.e. the specific address they direct you to make SARs to). I explicitly ruled out any personal data processed on the public Twitter account – that is available to me already and besides, I’ve already seen it. I wanted to see any direct messages, emails or other correspondence generated by my spat with Falk and his bot. Of course, there may not be any data at all. It’s quite possible that Falk didn’t talk to anyone about me or what I was saying, but he could have done. Several times, I questioned the fundamentals of Falk’s interpretation and I also asked whether Trilateral Research, the consultancy he has engaged to be Yo-Da’s DPO, agreed with his views. I wouldn’t be surprised if Falk contacted them about what I was saying, or just complained to his colleagues about what a jerk I was.
However you slice it, the deadline for compliance has passed, and Yo-Da has not responded to my request. I have received no data, no confirmation that data is not held, no request for ID, not even an acknowledgement. Nothing, nada, zip. Benjamin Falk proclaims that he seeks to land a knock-out blow for data subjects through the use of the GDPR rights, but the vehicle for this glorious revolution can’t even be arsed to answer a simple SAR. I wondered before why Trilateral wanted to be associated with Falk’s hyperbolic nonsense, but now he has coupled it with contempt for the law he claims to defend, I wonder if they’ll think again? In any case, everyone who receives one of Yo-Da’s SARs when the service launches knows what they can do.
Ignore it, you can.